04-01-2022 01:39 AM - last edited on 04-20-2022 08:36 AM by RPrasadi
Hello Prisma Cloud users,
I'm sharing with you some research I did this morning that you may find interesting. We want to detect and prevent when a resource is created in an unauthorized region.
config from cloud.resource where cloud.type = 'azure' AND cloud.region NOT IN ( 'Azure France Central' , 'Azure France South' , 'Azure Germany Central' , 'Azure Germany Northeast' , 'Azure Germany North' , 'Azure Germany West Central' )
You can specify your cloud types, your cloud regions and you can add all variables you want.
For example I can use api.name if I want to check a specific type of resources.
api.name = 'azure-kubernetes-cluster' # If want want to test my AKS clusters
Have a good journey in the world of RQL queries 😉
07-22-2022 02:10 PM - edited 07-22-2022 02:11 PM
This can be accomplished via targeting specific regions using the alert rule. The filters such as cloud.region and cloud.account are meant to be used in the investigate portion of Prisma, but are not respected if turned into a policy. This is due to how targeting is handled via the alert rule. With this in mind, you can create a query to look at an api, then target regions outside of the ones normally used by the team. You can find more details here - https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/... https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/creat...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!